MTA-STS & TLS-RPT

DANE record checker

Instantly look up TLSA records for any domain, check your DANE DNS configuration, and verify certificate usage fields, free, no signup required.

Free DANE lookup, no signup required.

About

The DANE Record Checker looks up TLSA records for your mail server and verifies DNSSEC status, the foundation for DNS-based Authentication of Named Entities (DANE).

DANE lets mail servers publish TLS certificate or public-key associations in DNS, so senders can verify they are connecting to the correct server without relying solely on public CAs.

TLSA record lookup

Find TLSA records published at _port._protocol.mxhost for your primary MX server.

DNSSEC verification

Check whether DNSSEC is validated, required for DANE to be trustworthy.

Certificate association details

See usage, selector, matching type, and certificate hash data for each TLSA record.

Actionable recommendations

Get specific next steps when TLSA or DNSSEC records are missing or misconfigured.

How to use this tool

Enter domain & port

Provide your domain, SMTP port (default 25), and protocol (TCP, UDP, or SCTP).

Resolve MX & query TLSA

The tool finds your primary MX host and queries _25._tcp.mxhost for TLSA records.

Check DNSSEC

DNSSEC validation status is verified via the AD flag in DNS responses.

Review records & guidance

Read TLSA details, validation messages, and recommendations for your setup.

Understanding the results

DANE requires both TLSA records on your MX host and validated DNSSEC on the domain. Without DNSSEC, TLSA records cannot be trusted.

TLSA found + DNSSEC validated

TLSA records exist with DANE-TA or DANE-EE usage and DNSSEC is validated.

TLSA not found

No TLSA record at the query name, DANE cannot be enforced for this mail service.

DNSSEC not validated

TLSA may exist but DNSSEC is missing or unvalidated, senders cannot trust DANE data.

Rollover records: N/A

PKIX-TA/PKIX-EE usage records used for certificate rollover, N/A if none are published.

Important result fields

TLSA Status

Found or Not Found, whether TLSA records exist at the query name.

DNSSEC

Detected, Signed (unvalidated), or Not Detected, DNSSEC chain validation status.

Query Name

The TLSA lookup name, e.g. _25._tcp.mail.example.com.

Usage

PKIX-TA, PKIX-EE, DANE-TA, or DANE-EE, how the certificate association is applied.

Selector

Certificate (full cert) or SPKI (public key), what the association data matches.

Matching type

Full certificate, SHA-256 hash, or SHA-512 hash of the association data.

Best practices & recommendations

Enable DNSSEC first

DANE is only meaningful with validated DNSSEC, enable and verify DNSSEC before publishing TLSA.

Use DANE-EE or DANE-TA usage

Usage values 2 (DANE-TA) or 3 (DANE-EE) are required for DANE enforcement, not PKIX modes alone.

Plan certificate rollover

Publish rollover TLSA records before renewing certificates to avoid delivery interruptions.

Combine with MTA-STS

DANE and MTA-STS address different layers, many organizations use MTA-STS for broad coverage and DANE where DNSSEC is available.

Frequently asked questions

DNS-based Authentication of Named Entities lets you publish TLS certificate or public-key fingerprints in DNS (TLSA records) so senders can verify your mail server identity.

TLSA records in unsigned DNS could be spoofed. DNSSEC ensures senders receive authentic, untampered TLSA data.

A DNS record at _port._protocol.hostname containing certificate association data, usage, selector, matching type, and hash or certificate bytes.

No. This tool checks DNS records and DNSSEC only. Certificate hash matching requires a live TLS handshake, which is not performed here.

Port 25 (SMTP) is the default for inbound mail. Use the port your MX server accepts TLS connections on.

Additional TLSA records with PKIX-TA or PKIX-EE usage published before certificate renewal so senders accept both old and new certificates during transition.

Adoption is growing but less universal than MTA-STS. DANE is most valuable when your DNS zone has full DNSSEC deployment.

The tool requires MX records to determine which host to query for TLSA. Add MX records or check the correct domain.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools